Phishing has been, for several years in a row, one of the main threats to corporate security. It has become a regular presence in everyone’s daily life, and many organizations tend to overlook it, which is a costly mistake.
Statistics show that the number of threats of this type is constantly increasing. According to the Anti-Phishing Working Group (APWG), 2022 was a record year for phishing, with more than 4.7 million attacks (1). According to the cited source, more than 1.3 million unique phishing websites were detected in the fourth quarter of 2022 alone, which is the highest number ever recorded by the APWG.
The phenomenon is also visible in Romania – the Business Internet Security Report 2022 (2) shows that, last year, phishing was the third most common attack vector at the local level (with 21%). At the same time, alerts issued by the National Cyber Security Directorate (DNSC) on this type of threat have become a regular occurrence. Earlier this year, DNSC issued a new warning on the risks posed by phishing campaigns, emphasizing that trap messages are increasingly well written in Romanian and that fraud attempts are becoming more credible (3).
Ignoring risks creates damage
The situation is complicated by the fact that, as the DNSC warning also pointed out, attackers are getting better at creating and diversifying phishing campaigns, and by the fact that they are using more and more propagation channels: email, SMS, social media and messaging clients.
At the same time, attack methods are continuously evolving. Today we are no longer talking only about “classic” phishing, but also about numerous variants aimed at the enterprise environment, such as pharming, spear phishing, whaling, smishing, vishing, Business Email Compromise (BEC), Vendor Email Compromise (VEC), etc.
Last but not least, trap messages, which are increasingly credible, cannot be reliably blocked by firewalls or antivirus solutions.
Ignoring or downplaying the threat posed by phishing is a costly mistake for many companies – according to the 2023 Data Breach Investigations Report, more than a third (36%) of the security breaches faced by organizations are based on such a threat (4).
Recent research by security experts on the impact of phishing attacks shows that:
– 60% of affected businesses lost important information,
– 52% faced the compromise of access data,
– 47% were victims of a ransomware attack,
– 29% suffered a malware infection,
– 18% had direct financial losses.
On top of this list come the damage to the company’s reputation and even the legal consequences.
Passive training does not produce the expected results
To achieve these results, attackers exploit the weakest link in an organization’s security: the end users, i.e. the employees. They are the most exposed and vulnerable to phishing attacks, which trick them into divulging data, accessing malicious sites and downloading malware onto their devices.
Therefore, the way to prevent such critical situations is to train employees to recognize phishing attempts. Many companies do this, periodically circulating information to staff about new types of emerging threats, recommended prevention methods, etc. However, as the statistics presented above show, this method does not deliver the expected results. The main reason is that one-way information is a passive, low-yield method of learning.
A more effective approach is to conduct phishing tests and simulation exercises. The method involves sending simulated phishing emails or other fake messages to employees to see how they react. Such exercises help companies quickly identify the end users who need additional training and understand where, and which, weaknesses could be exploited by attackers.
Tests and simulations allow dedicated training for the employees who need it, focusing on how to recognize and respond to phishing attempts. The optimal method recommended by specialists is to regularly conduct tests and simulations of phishing attacks, followed by interactive training sessions targeted at the critical aspects detected.
Phriendly Phishing – testing, simulation, training
To actually reduce phishing risk, however, such complete testing, simulation and training processes need to be carried out periodically – a requirement that represents a challenge for many organizations: on the one hand because they lack the necessary skills, and on the other because developing these skills requires time, effort and money, investments that are hard to recoup and that overload internal resources.
To support companies facing such challenges, Safetech Innovations brought the Phriendly Phishing platform to the Romanian market, which integrates several types of solutions and services. The platform is specially designed to raise the level of risk awareness among employees and constantly improve their skills in detecting the threats they face.
The Phriendly Phishing platform automates staff simulation and training processes and provides up-to-date information in this area. The training content is relevant and easy to remember, and Safetech can support the development of customizable step-by-step learning paths, hands-on attack simulation exercises and reinforcement of the information learned.
Analytics integrated into the platform provide up-to-date information on the progress of ongoing awareness campaigns, the organization’s risk profile, staff performance, statistical trends and the improvements achieved. At the same time, the platform allows courses to be scheduled and rolled out in advance, offers automatic enrollment that removes the need to manually add and remove employees or create groups, and is constantly updated with new micromodules as attack tactics evolve.
The effectiveness of the learning methods delivered through the Phriendly Phishing platform is confirmed by the numerous awards received to date, the most recent being the LearnX Awards 2022, Best Online Learning Model, and Best E-Learning Experience, awarded this year by The International E-Learning Association.
Threats to data are not limited to phishing, however. Poor work practices can also expose sensitive data – according to Verizon’s 2022 Data Breach Investigations Report, 82% of last year’s security breaches involved the human element (5). Through the Phriendly Phishing platform, Safetech gives companies the opportunity to raise employee awareness of data protection and cyber security.
For more information about Safetech Innovations services and commercial offers, we invite you to contact us by email at sales@safetech.ro or by phone at 021 316 05 65.
______________________
1. https://apwg.org/trendsreports/
2. https://www.orange.ro/docs/business/pdf/Raport-RO-BIS-2022-update-nl.pdf
3. https://dnsc.ro/citeste/alerta-phishing-2023-romania-banci
4. https://www.verizon.com/business/resources/reports/dbir/
5. https://www.verizon.com/business/resources/reports/dbir/2022/master-guide/